OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Audit Report

EPA’s Computer Security Self-Assessment Process Needs Improvement

Report No. 2003-P-00017

September 30, 2003

Report Contributors:
    Ed Densmore
    Debbie Hunter
    Martin Bardak
    Teresa Richardson
    Michael Young
    Bill Coker

Abbreviations

ASSERT    Automated Security Self-Evaluation and Reporting Tool
EPA       Environmental Protection Agency
FISMA     Federal Information Security Management Act
GISRA     Government Information Security Reform Act
IT        Information Technology
NIST      National Institute of Standards and Technology
OEI       Office of Environmental Information
OIG       Office of Inspector General
OMB       Office of Management and Budget

Executive Summary

Management has taken positive actions to establish a computer security self-assessment process. However, additional areas need to be addressed to provide greater assurance that the Environmental Protection Agency’s (EPA’s) information technology security is accurately measured.

EPA’s Office of Environmental Information (OEI) uses self-assessments to collect security-related information about its systems and report the consolidated results to the Office of Management and Budget. OEI took several significant actions to help program and regional personnel complete and report on self-assessments.
OEI converted the self-assessment questionnaire into an Automated Security Self-Evaluation and Reporting Tool (ASSERT), a web-based format to facilitate compiling and reporting results, and provided step-by-step instructions on its use. Further, OEI reconciled EPA’s system inventory to budget documentation.

Despite these positive efforts, improvements are needed in order for the Agency to place reliance on its computer self-assessment process. Specifically:

• Thirty-six percent of the critical self-assessment responses in our review were inaccurate or unsupported. Approximately 9 percent were inaccurate and 27 percent unsupported. As a consequence, the responses to the self-assessment questions we reviewed did not identify or support the current security status of those systems.

• EPA’s system inventory did not identify all major applications. As a result, not all major applications completed a self-assessment or were included in the self-assessment for the applicable general support system.

• EPA management did not provide proper oversight to ensure implementation of authentication/identification security controls, which increased the potential for unauthorized access, misuse, and system downtime.

• EPA did not adequately plan for systems controls. As a result, management authorized systems to operate without being provided adequate information on the impact these risks had on operations.

These weaknesses were caused primarily because OEI does not have a systematic program to ensure that system controls are accurately presented and implemented throughout the Agency. To improve the self-assessment process, OEI’s Director for Technology, Operations, and Planning needs to implement a systematic monitoring and evaluation program.
Only then can management place reliance on the collected data and make informed judgments and investments.

In a memorandum dated July 15, 2003, OEI’s Director for Technical Information Security responded to our draft report (Appendix B) and concurred with most of our recommendations. However, OEI raised concerns regarding the breadth of some finding statements, and did not agree that the audit’s sampling and evaluation methodology supported a broad, Agency-wide conclusion regarding all technical controls. As such, we modified the report to clarify that the findings pertained to the critical self-assessment questions and responses we reviewed. Furthermore, although the sample was judgmental, we believe the national systems selected provided adequate coverage of EPA’s program offices, as well as different types of Agency data (e.g., financial, enforcement/compliance, and systems containing environmental data). However, we modified the report language from “technical controls” to “authentication/identification controls” in order to more specifically reflect the work that was performed.

Table of Contents

Executive Summary ...................................................... i

Chapters
  1  Introduction ........................................................ 1
  2  Security Self-Assessments Contain Unreliable Data ................... 5
  3  Systems Inventory Incomplete ........................................ 9
  4  Greater Oversight of Authentication/Identification Controls Needed .. 13
  5  Security Plans Not Sufficient ...................................... 15

Appendices
  A  Details on Scope and Methodology ................................... 19
  B  Agency Response to Draft Report .................................... 21
  C  NIST Control Elements .............................................. 29
  D  Distribution ....................................................... 31

Chapter 1
Introduction

Purpose

The objective of this audit was to review the Agency’s policies, procedures, and practices regarding EPA’s self-assessment of major applications and general support systems.
Specifically, we determined whether:

• Computer security self-assessments were accurate and complete.

• EPA identified all major applications.

• Major application systems used authentication and identification controls to protect against unauthorized access or misuse.

• Systems security plans were documented, approved, and reviewed, and were consistent with National Institute of Standards and Technology (NIST) guidance.

We initially planned to identify both general support systems and major applications. Due to a software limitation involving EPA’s network, we could not verify that all general support systems were listed on the systems inventory.

Background

The Federal Information Security Management Act (FISMA) and its predecessor, the Government Information Security Reform Act (GISRA), require all Federal agencies to conduct annual reviews of their security program and to report the results of those assessments to the Office of Management and Budget (OMB). OMB reviews the assessment results to determine how well agencies implemented security requirements. Starting in fiscal 2002, OMB directed agencies to use the Federal Information Technology (IT) Security Assessment Framework developed by the Federal Chief Information Officers Council, as well as the self-assessment methodology developed by and outlined in NIST Special Publication 800-26, to conduct these reviews.

Self-assessments provide a method for agency officials to determine the current status of the overall information security program and, where necessary, establish targets for improvement.
The self-assessment methodology developed by NIST includes a questionnaire to help agencies assess how well information security controls have been implemented on every general support system and major application. The NIST self-assessment questionnaire utilizes an extensive list of specific control objectives and techniques against which the security of a system can be measured. The questionnaire is comprised of over 200 questions that address 34 critical elements of security. To measure the progress of effectively implementing the needed security control, five levels of effectiveness are used to assess each security control question, as shown in Table 1:

Table 1: Five Levels of Security Effectiveness

Level | Name        | Description
------|-------------|---------------------------------------------------------------------------------
1     | Policy      | Control objective is documented in a security policy
2     | Procedures  | Security controls are documented as procedures
3     | Implemented | Procedures have been implemented
4     | Tested      | Procedures and security controls are tested and reviewed
5     | Integrated  | Procedures and security controls are fully integrated into a comprehensive program

These five levels provide a standardized approach to assessing the status of security controls for major applications and general support systems.
Per NIST guidance, the method for answering the questions can be based primarily on an examination of relevant documentation and a rigorous examination and test of the controls.

During fiscal 2002, EPA’s Office of Environmental Information (OEI) developed EPA’s Automated Security Self-Evaluation and Reporting Tool (ASSERT), a web-based version of the NIST 800-26 Security Self-Assessment Guide for Information Technology Systems questionnaire. OEI subsequently tasked system owners to complete a self-assessment for every major application and general support system.

Scope and Methodology

We conducted audit field work from January 2003 to April 2003 at EPA Headquarters and Regions 1, 2, 3, 5, and 6. To accomplish this audit’s objectives, we used a variety of Federal and Agency criteria, including OMB Circular A-130, various NIST Special Publications, and several EPA Directives (see Appendix A). We conducted this audit in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. We reviewed selected NIST self-assessment questions, EPA’s system inventory, and selected system security plans. In addition, we reviewed and tested authentication/identification controls at selected locations. The sampling methodologies provided coverage of EPA’s program offices, as well as different types of Agency data (e.g., financial, enforcement/compliance, and systems containing environmental data). Further details on audit scope and methodology are included in Appendix A.

Prior Audit Coverage

EPA OIG Report No. 2003-P-00009, EPA Undertaking Implementation Activities to Protect Critical Cyber-Based Infrastructures, Further Steps Needed, dated March 27, 2003: This report focused on the adequacy of EPA activities for protecting its IT infrastructure and, among other things, recommended that EPA revise security plans for IT systems critical to its cyber-based infrastructure so that they meet NIST requirements.

EPA OIG Report No. 2002-S-00017, Government Information Security Reform Act: Status of EPA Computer Security Program, dated September 16, 2002: This report noted that while EPA has made progress in strengthening its security program, management must continue to seek improvements in the areas of risk assessments, effective oversight processes, and training employees with significant security responsibilities.

Chapter 2
Security Self-Assessments Contain Unreliable Data

Our review of selected critical self-assessment responses identified 36 percent that were inaccurate or unsupported. As a consequence, the responses to the self-assessment questions we reviewed did not identify or support the current security status of those systems. The inaccurate responses occurred because OEI issued Guidance for Reviewing ASSERT Responses to GISRA-related Questions that was not consistent with NIST guidance. In addition, OEI did not systematically monitor or evaluate the system owner responses to verify the responses were accurate or supported.

Results of Review

Thirty-six percent (78 of 216) of the critical self-assessment questions we examined were inaccurate or unsupported.
Approximately 9 percent of system owners’ responses were inaccurate, and 27 percent were unsupported. We determined a response to be “inaccurate” if the system owner’s supporting documentation was not consistent with the data reported in the system self-assessment. We determined a response to be “unsupported” if the system owner did not provide any documentation. For example:

• Ten of 17 system owners that responded “implemented” to the question, “Is the contingency plan approved by key affected parties?” did not provide the OIG a copy of an approved contingency plan.

• Nine of 16 system owners that responded “implemented” to the question, “Does the budget request include the security resources required for the system?” did not provide supporting budget documentation to the OIG.

• Eight of the 27 system owners did not have supporting documentation for 50 percent or more of their responses.

As a consequence, the responses to the self-assessment questions we reviewed did not identify or support the current security status of those systems. OEI reported to OMB a Plan of Actions and Milestones to correct the system weakness for each question that did not have an “implemented” response.
Therefore, our review disclosed that the Agency’s Plan of Actions and Milestones may not have included all necessary action items due to inaccurate or unsupported responses.

We determined system owners did not provide accurate responses to the self-assessment questionnaire, in part, because OEI’s guidance to system owners was inconsistent with NIST guidance. For example, in the question “Has a contingency plan been developed and tested?” OEI’s guidance directed the system owner to respond “implemented” as long as the system had a contingency plan in place. Although some system owners had developed a contingency plan, we determined that most plans had not been tested. To be consistent with NIST guidance, these system owners should have responded “procedures” rather than “implemented” to this question. We conferred with the author of NIST 800-26 regarding interpretation of this question and confirmed that system owners should only respond “implemented” when the system contingency plan has been tested.

Another self-assessment question asked, “Are tests and examinations of key controls routinely made, e.g., network scans, analyses of router and switch settings, penetration testing?” OEI guidance directed the system owner to respond “implemented” if the system is subjected to routine monitoring by one of the Agency’s automated monitoring tools (Bindview or Enterprise Security Manager).
While we agree that the Agency’s automated monitoring tools examine technical controls, they do not examine management and operational controls, which should be included in “examination of key controls.” NIST confirmed this question includes routinely testing management, operational, and technical controls.

Furthermore, some system owners relied upon statements from system operators or other individuals to formulate responses without obtaining or maintaining documentation to support the veracity of each response. For example, many of the system owners that responded “implemented” to the question “Is the system security plan approved by key affected parties and management?” could not produce a copy of the approved security plan. These system owners could not support the “implemented” response. Also, 2 of the 27 system owners did not respond to the OIG’s repeated requests for support documents.

While OEI has performed a variety of security monitoring activities, these activities did not include the systematic monitoring and evaluation of the self-assessment responses. OEI believes the accuracy of the self-assessments is first and foremost the responsibility of the senior agency official who owns the system(s). While we agree that the assigned senior agency official has a responsibility for providing accurate information concerning the system’s security controls, FISMA 3544 (3) states “the head of each agency shall delegate to the agency Chief Information Officer the authority to ensure compliance with the requirements imposed on the agency,” including designating a senior agency information security officer who shall head an office with the mission and resources to assist in ensuring agency compliance.
In our opinion, “ensuring agency compliance” should include systematic monitoring and evaluation of the security self-assessment responses, since such oversight activities will help ensure that the Agency’s quarterly report to OMB accurately reflects the effectiveness of EPA’s information security program.

Recommendations

We recommend that the Director for Technology, Operations, and Planning:

2-1. Direct system owners to use NIST 800-26 to answer the security control objectives listed in ASSERT or ensure additionally issued guidance is consistent with NIST 800-26.

2-2. Direct system owners to obtain and maintain the documentation to support self-assessment responses and provide such documentation to the OIG upon request.

2-3. Develop and implement a program that systematically monitors and evaluates the system security self-assessment responses.

Agency Comments and OIG Evaluation

In a memorandum dated July 15, 2003, OEI’s Director for Technical Information Security responded to our draft report (see Appendix B). In summary, OEI concurred with the report recommendations, but raised concerns regarding the breadth of some finding statements. We modified the report language to clarify that the findings pertained to the critical self-assessment questions and responses we reviewed. We also amended the report to emphasize that we conferred with appropriate NIST personnel, who concurred with our interpretation of their guidance related to self-assessment questions on contingency plans and testing of key controls.
In responding to the recommendations, OEI stated it is establishing a procedure under the Agency Network Security Policy to require the use of applicable NIST guidance as the basis of all Agency IT-related policies and procedures. In addition, OEI has dedicated some of its employees to an Agency-wide testing and evaluation program. Subsequent discussions with OEI also resulted in an additional recommendation pertaining to the maintenance of support documentation for security self-assessments. In our view, the corrective actions described in the response are appropriate and should, when fully implemented, respond adequately to the recommendations.

Chapter 3
Systems Inventory Incomplete

ASSERT, EPA’s system inventory for security purposes, did not identify all major applications. As a result, not all major applications had a completed security self-assessment, which could impact the overall information security status of the Agency. Although OEI took steps to ensure an accurate inventory of major application systems was obtained, it relied solely on the system owners to identify which systems met the criteria for a major application or general support system, without systematically evaluating the system owners’ responses.

Results of Review

We determined that ASSERT did not include all major applications. OMB requires that all major applications and general support systems be reported under FISMA.
FISMA states the head of each Agency shall ensure that senior agency officials provide information security for the information and information systems that support the operations and assets under their control. In addition, it states the Chief Information Officer will designate a senior agency information security officer who shall head an office with the mission and resources to assist in ensuring agency compliance with FISMA requirements.

We determined an information system to be a major application if it met OMB’s definition, as stated in Circular A-130, Appendix III, Security of Federal Information Resources. OMB states a “major application” requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. In addition, a “system” can refer to a set of processes, communications, storage, and related resources that are tied together by logical boundaries.

Whether the system includes one application or consists of multiple applications residing on a general support system, NIST stipulates that all applications should be (1) classified as either a major application or general support system, and (2) covered by a security plan.
Finally, NIST states that a security self-assessment should be completed for every major application and general support system.

We found ASSERT did not include the following seven systems that either qualify as major applications or were not included in the self-assessment of one of EPA’s general support systems, as shown in Table 2:

Table 2: Systems Not Included in ASSERT

System Name | Program Office | Explanation
------------|----------------|------------
Asbestos Receivable Tracking System | Office of Chief Financial Officer | Should be a major application. System contains loan receivable information that is confidential in nature.
Inter-Agency Document Online Tracking System | Office of Chief Financial Officer | Should be a major application because data includes confidential business information and has high integrity requirements.
Working Capital Fund Workload and Billing System | Office of Chief Financial Officer | Currently not classified. System should be recognized and accounted for in the security plan and self-assessment of an EPA general support system.
Water Assessment Treatment Results System | Office of Water | Inadvertently deleted from ASSERT 2003, although it was included in the prior year inventory.
Bankcard System | Office of Chief Financial Officer | Should be a major application. System must be highly accurate and reliable in order to correctly modify bankcard commitments, create obligations, and prepare payment transactions.
Small Purchase Tracking System | Office of Chief Financial Officer | Should be a major application because of high integrity requirements.
Electronic Approval System | Office of Chief Financial Officer | Currently not classified. System should be recognized and accounted for in the security plan and self-assessment of an EPA general support system.

As a result, not all major applications completed a self-assessment of security controls and related operational practices or were included in the self-assessment for the applicable general support system. Self-assessments provide a method for Agency officials to determine the current status of their information security program and, where necessary, establish a target for improvement. Without a full accounting of major application systems, Agency officials cannot fully understand the current status of their information security program and controls in order to make informed judgments and investments that appropriately mitigate risks to an acceptable level.

Although OEI took steps to obtain an accurate inventory of major application systems, its efforts were not sufficient. For example, in July 2002, OEI sent a memorandum to EPA’s Information Security Officers that identified OMB’s definitions for general support systems and major applications.
In addition, OEI reconciled EPA’s inventory to budget documentation, to identify systems that had not been reported that should have been. Also, OEI instructed Information Security Officers to perform a self-assessment of their respective systems or take action to remove systems that did not meet the criteria of a major application. Despite these actions, major applications were omitted from ASSERT or were not included in the applicable general support system self-assessment. This occurred because OEI relied on system owners to identify which systems met the criteria for a major application or general support system without systematically evaluating the system owners’ responses. In addition, the general support system security plan for the Agency’s mainframe computer did not include non-major applications that reside on the system.

Recommendations

We recommend that the Director for Technology, Operations, and Planning:

3-1. Direct general support system owners to include all applications residing on the system in the system’s security plan.

3-2. Coordinate with system owners to amend ASSERT to add the missing major applications noted in this report.

3-3. Develop and implement a program that systematically monitors and evaluates system classification.

Agency Comments and OIG Evaluation

OEI concurred with the recommendations, and indicated it will (1) coordinate with the system owners to ensure the systems in question are included in the system inventory, unless the system owners can provide adequate documentation to the contrary; and (2) make a diligent effort, under its quality assurance
program, to validate that all major applications and general support systems are properly classified and accounted for. Furthermore, our discussions with OEI representatives led to another report recommendation to ensure that general support system security plans account for all system applications. In our view, the corrective actions described in the response are appropriate and should, when fully implemented, respond adequately to the recommendations.

Chapter 4
Greater Oversight of Authentication/Identification Controls Needed

EPA management did not provide proper oversight to ensure implementation of authentication/identification controls, such as periodic reviews of system access listings to ensure that only authorized individuals have access to each system and that access levels are appropriate. As a result, the potential for unauthorized access, misuse, and system downtime was increased. This occurred because OEI management relied on authentication/identification control information submitted by program and regional offices without validating its reliability.

Results of Review

OEI did not provide sufficient oversight for authentication and identification controls to ensure systems were protected against unauthorized access and misuse. While we recognize that OEI is not directly responsible for implementing authentication/identification controls, the E-Government Act of 2002 charges the senior agency information security officer to head an office with the mission and resources to assist in ensuring agency compliance with FISMA requirements.
As such, OEI is accountable for ensuring that EPA’s managers implement and maintain appropriate security controls.

We identified program and regional offices that had not properly implemented access controls over selected IT systems. Some system managers did not periodically review access lists to verify that users needed access to the system and that the levels of access were appropriate. For example, periodic reviews of user access lists and users’ authorization levels were not conducted on three of the six systems reviewed. As a result, users were assigned greater authorization levels than necessary and some users retained access rights after they no longer required them. These control weaknesses increased the potential for the manipulation and/or misuse of systems.

Also, our examination of user access listings disclosed that Agency systems had not been assigned adequate personnel to ensure the availability of the systems to users, which can increase system downtime. For example, two of the six systems reviewed only empowered one person with the authority to grant or coordinate access for other users.
Continued availability is very important for these systems, since their respective security plans state “non-availability of systems or data would impair the Agency’s long-term ability to accomplish its mission.” These systems are used to support compliance/enforcement-related activities for the national pesticides program.

We are currently drafting a separate report to system owners addressing the system-specific weaknesses we found with regard to user access and authorization levels, maintaining system availability, and the need for more frequent oversight of these authentication/identification controls.

The noted weaknesses occurred, in part, because OEI had not implemented a comprehensive monitoring and evaluation program to ensure system managers comply with established practices governing implementation of controls. Instead, OEI relied on information submitted by the program and regional offices without validating the information. Sufficient oversight for the implementation of authentication/identification controls will help ensure system managers are periodically reviewing user access listings and that the Agency’s IT systems are available to users. Furthermore, OEI’s oversight of the implementation of security controls will help detect and subsequently assist in preventing unauthorized access and misuse of the Agency’s IT systems.

Recommendation

We recommend that the Director for Technology, Operations, and Planning:

4-1. Develop and implement a comprehensive program that systematically monitors and evaluates the implementation of authentication/identification controls.

Agency Comments and OIG Evaluation

OEI’s response to the draft report indicated it does not agree that the audit sampling and evaluation methodology supports a broad, Agency-wide conclusion for all technical controls. As such, OEI did not concur with the recommendation. Although the sample was judgmental, we believe the national systems selected provided adequate coverage of EPA’s program offices, as well as different types of Agency data (e.g., financial, enforcement/compliance, and systems containing environmental data). However, we modified the report language and recommendation for this chapter, changing “technical controls” to “authentication/identification controls,” in order to more specifically reflect the work that was performed.

Chapter 5
Security Plans Not Sufficient

EPA did not adequately address controls in its information system security plans. Our review disclosed that security plans omitted or lacked sufficient details regarding security controls, such as logical access to system data, contingency plans, and planned reviews of system security controls.
Systems security plans should comply with NIST guidance by describing controls in place or planned. As a result, management authorized systems to operate without being provided adequate information on the impact that existing risks may have on operations. This weakness occurred, in part, because EPA’s security planning guidance had not been revised to include NIST requirements. Also, several system owners used previous security plans that did not comply with NIST as examples to develop or update the current plans.

Results of Review

Our review of selected security plans disclosed that system controls were not adequately planned for in Agency information systems. The system security plans reviewed showed that management, operational, and technical controls were either not included or lacked sufficient details when compared to guidelines found in NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems.

OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires management to develop security plans that are consistent with NIST guidelines. Furthermore, management’s authorization to operate an IT system should be based on an assessment of management, operational, and technical controls, as documented in the system’s security plan.

To determine the adequacy of EPA system security plans, we reviewed a judgmental sample of 18 security plans.
To ensure we reviewed security plans of systems that are both mission critical and representative of EPA’s major financial, administrative, and programmatic systems, we selected our sample from a universe of plans that have benefitted from prior OEI oversight reviews. For each of the security plans reviewed, we evaluated 26 security control elements, defined in NIST 800-18, to ensure each element met the specified level of detail. For example, to meet the level of detail NIST outlined for the “review of security controls,” each security plan would need to:

• List any independent security reviews conducted on the system during the last three years.

• Include information about the type of security evaluation performed, who performed the review, the purpose of the review, the findings, and the actions taken as a result.

We summarized our results for each of the 26 major control elements and calculated the percentage of reviewed security plans that were not consistent with NIST guidelines. The following Table 3 identifies those control elements that resulted in the highest percentages of noncompliance with NIST, either because the element was missing from security plans or because the plans did not contain a sufficient level of detail.
Additional information on NIST control elements and our compliance percentages will be made available upon request.

Table 3: Security Plan Reconciliation to NIST 800-18

NIST Control Elements *                                                   Non-compliance

Major Application: Application Software Maintenance Controls /
General Support System: Hardware System Software Maintenance Controls           100%

Reviews of security controls                                                     86%

Identification and Authentication controls                                       86%

Major Application: Data Integrity/Validation Controls /
General Support System: Integrity Controls                                       85%

Logical Access Controls                                                          85%

Contingency Planning                                                             79%

Audit Trails                                                                     79%

Personnel Security                                                               79%

Authorized Processing                                                            64%

* For a description of these control elements, see Appendix C.

As a result, management was authorizing systems to operate without being provided adequate information on the impact these risks can have on operations. In addition, a security plan that does not comply with Federal regulations limits management’s assurance that the system’s owner has identified all applicable security requirements.

These deficiencies occurred because EPA’s guidance for developing a system security plan – the Information Security Planning Guidance – had not been revised since NIST issued guidance on creating a system security plan in 1998.
Our review of the Information Security Planning Guidance determined that it does not completely define all key points that NIST 800-18 outlines for inclusion in major application and general support system security plans. For example, EPA’s Information Security Planning Guidance does not:

• Require documenting the risk assessment methodology used to identify threats and vulnerabilities.

• Define the level of detail required by NIST for Personnel Security measures pertaining to levels of sensitivity and access.

• Identify general support system requirements for contingency planning.

• Identify the need to develop a security plan for a system at the “initiation phase” of the System Development Life Cycle.

We also found that several system owners used previous security plans, which did not comply with NIST, as examples to update the current plans. In addition, a systematic monitoring and evaluation process was not in place to ensure that security plans met NIST requirements.

Recommendations

We believe that the Agency’s Information Security Planning Guidance needs to be revised to align itself with NIST requirements.
However, we will not reiterate that need because it is addressed in EPA OIG Report 2003-P-00009, EPA Undertaking Implementation Activities to Protect Critical Cyber-Based Infrastructures, Further Steps Needed, dated March 27, 2003.

We recommend that the Director for Technology, Operations, and Planning:

5-1. Establish a completion date as to when all EPA systems security plans will be revised to comply with security plan controls defined in NIST 800-18 guidance, and ensure individual security plans are revised as scheduled.

5-2. Establish a process which systematically monitors and evaluates systems security plans to ensure they comply with NIST guidelines.

Agency Comments and OIG Evaluation

In its response to the draft report, OEI concurred with our initial recommendation but took exception to how the results of our review were presented in Table 3. We modified the report to clarify that Table 3 identifies security plan elements that, based on our review, resulted in the highest percentages of noncompliance with NIST guidelines. Based on subsequent discussions with OEI representatives, we have included an additional recommendation for establishing a process to ensure systems’ security plans comply with NIST guidelines. OEI’s response indicated that it has formally adopted NIST 800-18 as the basis for Agency security plans. Moreover, it will give priority to ensuring that new system security plans and major revisions to existing plans are consistent with NIST.
Per discussion with OEI management, the remaining security plans will be revised in accordance with the established three-year review cycle. In our opinion, the planned corrective actions are appropriate.

Appendix A

Details on Scope and Methodology

To accomplish this audit’s objectives, we used a variety of Federal and Agency regulatory documents, including:

• A-130, Appendix III, Security of Federal Automated Information Resources,
• NIST Special Publications:
     - 800-14, Principles and Practices for Securing IT Systems
     - 800-18, Guide for Developing Security Plans for Information Technology Systems
     - 800-26, Security Self-Assessment Guide for Information Technology Systems
     - 800-30, Risk Management Guide for Information Technology Systems
• EPA Directive 2195 A1, Information Security Manual
• EPA Directive 2195.1 A4, Agency Network Security Policy
• EPA’s Information Security Planning Guidance

The focus of this audit was to review EPA’s policies, procedures, and practices regarding systems’ security self-assessments completed during fiscal 2002. We analyzed various supporting documentation and technical controls, and interviewed key EPA personnel. The specific methodology for reviewing and validating self-assessment data, EPA’s system inventory, authentication/identification controls, and security plans, follows:

Self-Assessment Data

To determine whether the self-assessments were accurate and supported, we randomly selected a sample of systems from the Agency’s ASSERT system, dated November 6, 2002.
Specifically, we reviewed system self-assessment responses for eight critical questions, selected by OEI, to determine whether those responses were accurate and supportable. During fiscal 2002, OEI provided system owners additional guidance on how to respond to these eight questions, and we took that additional guidance into account. We reviewed the system owners’ responses for 27 systems to determine whether the self-assessment responses were adequately supported. We determined a response to be “inaccurate” if the system owner’s supporting documentation was not consistent with the data in the self-assessments and “unsupportable” if the system owners did not provide any documentation.

System Inventory

To determine whether all major applications were listed on EPA’s inventory, we reviewed EPA’s Enterprise Architecture and reconciled the systems listed to the major applications listed in ASSERT. In addition, we reconciled ASSERT to the systems reported as major applications in EPA’s 2002 budget submission to OMB (i.e., OMB Exhibits 53 and 300B). For those systems we could not reconcile, we reviewed some Memorandums of Understanding between the offices responsible for the systems and interviewed EPA personnel to determine whether these systems met the criteria of a major application. In addition, we discussed interpretation of NIST 800-26 with NIST personnel.

Authentication/Identification Controls

We judgmentally sampled six national systems from the universe of major applications listed in ASSERT. The systems selected provided coverage of EPA’s program offices, as well as different types of Agency data (e.g., financial, enforcement/compliance, and systems containing environmental data).
We reviewed these systems at five regional locations to determine whether authentication/identification controls were implemented. We performed testing to determine whether selected major application systems had adequate authentication and identification techniques, as defined by NIST 800-26. Furthermore, we verified that users listed on the access listing still needed access, and tested their respective levels of access to ensure they were appropriate. Also, we reviewed systems coordinator/administrator listings to determine whether adequate personnel had been assigned to ensure the availability of the systems to users.

Security Plans

We judgmentally selected a sample of 18 security plans from the universe of plans OEI used to conduct its 2002 “completeness review.” We evaluated the systems security plans’ contents to ensure they included and met the required level of detail described in NIST 800-18. Additionally, we reviewed the Agency’s Information Security Planning Guidance to determine whether the guidance defined all key points contained in NIST 800-18.

Appendix B

Agency Response to Draft Report

OEI appreciates the opportunity to provide comments on the draft audit. We are very anxious to work with you to ensure the effectiveness of the Agency’s information security program through audits and evaluations. The combination of OIG independent evaluations and CIO implementation and oversight, as envisioned by FISMA and OMB guidance, will keep EPA in the forefront of Federal IT security.
We believe that resolution of the issues raised by this audit will strengthen both our roles.

Please feel free to contact me (202-566-0304) to discuss any of our comments in more detail.

cc: Patricia Hill, Director of Business Systems, Office of Inspector General
    Mark Day, Director, Office of Technology Operations and Planning

Attachment 1
Summary of OEI Comments on Draft Audit Report, EPA’s Computer Security Self-Assessment Process Needs Improvement, Assignment No. 2003-000047
July 11, 2003

• OEI is concerned about the overall tone of the report. While there are multiple ways to analyze, interpret and present findings, the report shows the Agency’s security program in a poor light that we believe is inconsistent with the actual status of the program. For example, the table titled “Security Plan Reconciliation to NIST 800-18” presents a “Rate of Deficiency” that implies that virtually all EPA’s security plans are so defective as to present a serious security risk to the Agency. In some cases there is the implication of mismanagement by OEI or Agency program officials. For example, the report states that “EPA management directed system owners to respond incorrectly to the self-assessment questions because they misinterpreted NIST’s guidance.”

• OEI is concerned about the report’s use of sweeping, broad generalizations that characterize a number of the findings. The report identifies specific weaknesses in very specific areas and generalizes those findings across the Agency security program.
There are four findings which are of particular concern to OEI.

   1-1  OEI does not agree with the unqualified general conclusion that the 2002 GISRA results reported to OMB were based on unreliable data and may not accurately represent the status of EPA’s information security program.

        For EPA’s information security program to be effective, it is essential for program officials to be able to support their assessments. OEI requested the OIG to conduct an audit in this area and appreciates the OIG’s positive response to this request. We are concerned that some system managers were not able to provide supporting documentation and we intend to follow up on this finding. However, OEI’s review of the OIG’s data concludes that of the eight questions reviewed by the OIG, there are only two questions where the programs’ ability to provide adequate supporting documentation is in question. OEI believes that an unqualified Agency-wide finding that questions the validity of EPA’s 2002 GISRA submission is unwarranted. The details of OEI’s analysis are covered in Attachment 2.

   1-2  In some cases the report uses a “judgmental” sample to form the basis of Agency-wide conclusions. OEI’s statistical experts advised us that it is not statistically valid to infer conclusions to the whole population based on the actions of a few judgmentally selected examples. Judgmental samples can only provide insight into the deficiencies of the selected few. Furthermore, OEI believes that the use of judgmental samples for FISMA evaluation purposes is inappropriate.
FISMA section 3545(a)(2)(A) states that OIG evaluations should be based on “a representative subset of the Agency’s information systems.”

   1-3  The report finds that an Agency-wide deficiency exists in the implementation of technical controls on systems. It appears the audit reviewed only identification and authentication controls (not all technical controls as implied by the finding) of a judgmental sample of systems. It also appears that no actual testing of the effectiveness of controls was performed. Instead, the evaluation appears to have consisted of interviews and a review of documentation. OEI believes that this methodology does not support the Agency-wide finding in the report.

   1-4  The report finds that EPA did not adequately plan system controls because EPA’s security planning guidance has not been revised to include NIST requirements. OEI believes that this finding is not supportable for two reasons. First, it is based on a judgmental sample of systems. Second, OEI believes that EPA’s security planning, consisting of policy and guidance, has been substantially consistent with NIST guidance. There has never been a demonstration that the differences between EPA and NIST guidance were so substantial that there was a significant risk to the Agency’s systems.

• OEI and the OIG have differences regarding the interpretation of some of the security mandates in the OMB directives and NIST guidance. Our differences are noted in OEI’s comments in Attachment 2.
OEI recognizes that the OIG may have legitimate different interpretations of guidance. Those differences should be noted in any audit. However, OEI believes that differences of opinion about how to interpret guidance do not support a finding that questions the reliability of EPA’s report to OMB unless the OIG can demonstrate that OEI’s guidance was unreasonable and resulted in a substantial risk increase to the Agency.

• The report does not appear to recognize how accountability and responsibility are assigned in FISMA and OMB A-130. Frequently, the report places responsibility on OEI or the CIO for actions that FISMA and OMB A-130 clearly assign to program officials. An example is the finding that OEI is responsible for those systems that were not reported in 2002, despite the fact that OEI provided clear guidance to the programs and made a diligent effort to identify all Agency systems. The non-reported systems were, in fact, determined by the program officials to be not reportable and OEI accordingly accepted their determination. OEI disagrees with the report’s finding that there is a systemic problem with system identification that is OEI’s responsibility to remedy.

• Throughout the report OEI is criticized for not validating the information provided by the programs. OEI recognizes that it has a responsibility for ensuring effective implementation of the security program and OEI intends to increase its oversight activities. However, the report holds OEI fully accountable for any misreporting by program officials. Under FISMA, program officials are responsible for security of the systems under their control and the OIG also has a substantial role in validation.
The June 12, 2003 information request from Congressman Putnam to the Inspector General clearly expects that the OIG will play a significant role in validating FISMA 2003 data.

Attachment 2
Expanded OEI Comment on Draft Audit Report, EPA’s Computer Security Self-Assessment Process Needs Improvement, Assignment No. 2003-000047
September 22, 2003

OEI has informally provided the OIG staff with a marked-up version of the report containing comments for their consideration. However, OEI is formally submitting the following expanded comment.

Chapter 2

OEI Comment:

For EPA’s information security program to be effective, it is essential for program officials to be able to support their assessments. OEI requested the OIG to conduct an audit in this area and appreciates the OIG’s positive response to this request. We are concerned that some system managers were not able to provide supporting documentation and we intend to follow up on this finding. However, OEI’s review of the OIG’s data concludes that of the eight questions reviewed by the OIG, there are only two questions where the programs’ ability to provide adequate supporting documentation is in question. OEI believes that an unqualified Agency-wide finding that questions the validity of EPA’s 2002 GISRA submission is unwarranted.

For three of the questions dealing with security planning (12.2.1, 5.2.1, 4.1.5), the OIG found that over 90 percent of the systems reviewed were able to provide supporting documentation. For two questions dealing with contingency planning (4.1.4, 9.2.1), OEI disagrees with the OIG interpretation of NIST guidance.
OEI believes that it provided the programs with consistent and correct guidance and that OEI accurately reported the status of contingency planning to OMB. OEI, in fact, reported that contingency planning is a problem with only 56 percent of the Agency systems having implemented contingency plans and only 18 percent having tested contingency plans. While the OIG and OEI may disagree on how to characterize the issue, we appear to agree that contingency planning is a weakness that results in a “red” score on the Agency’s internal security report card.

For the question regarding testing of controls (2.1.4), OEI disagrees with the OIG’s interpretation of NIST guidance and believes that the Agency accurately reported the status of testing of controls to OMB. OEI, in fact, reported that only 64% of EPA’s had tested controls, resulting in a “red” score on the Agency’s internal security report card. Again, while the OIG and OEI disagree on how to characterize the issue, we appear to agree that testing of controls is a weakness for the Agency that needs further improvement.

The remaining two questions with low supporting scores deal with security plan approval (5.1.1) and budget (3.1.5). We believe that an unqualified finding of inaccurate reporting is unwarranted and we should focus on understanding and correcting the underlying reasons for lack of supporting documentation. Some reasons include system owners simply not responding, system owners not understanding the guidance, system owners not having the documentation, the OIG finding the documentation inadequate, or underlying interpretation differences between OEI and OIG.

OIG Recommendation:
2-1. Direct system owners to use NIST guidance to answer the security self-assessment questionnaire.

OEI Comment:
OEI concurs with this recommendation.
OEI is establishing a procedure under the Agency Network Security Policy to require the use of applicable NIST guidance as the basis of all Agency IT-related policies and procedures. OEI notes, however, that in some cases, NIST guidance may require interpretation and/or application to EPA’s specific situation.

OIG Recommendation:
2-2. Develop and implement a comprehensive quality assurance program that, at a minimum:
     • Validates self-assessment responses by sampling systems and responses to determine if the responses are adequately supported.
     • Requires system owners to complete a Plan of Actions and Milestones to correct any noted deficiencies.
     • Establishes a process to follow up on identified deficiencies and ensure that appropriate corrective actions have been implemented.

OEI Comment:
OEI concurs with this recommendation. OEI is establishing a new Agency-level FMFIA weakness that commits OEI to expanding its Agency-wide testing and evaluation program. Additional FTEs have been transferred into TISS specifically for testing and evaluation. OEI has a well-established system for creating and tracking Plans of Actions and Milestones.

Chapter 3

OIG Recommendation:
3-1. Coordinate with system owners to amend EPA’s systems inventory to add the seven missing major applications noted in this report.

OEI Comment:
OEI concurs with this recommendation. OEI established clear criteria for systems to be included in the GISRA report and made a diligent effort to identify systems across the Agency. Where system owners determined that certain systems did not meet the criteria, OEI requested documentation of that decision.
In further discussions with OIG staff, it has become clear that several of the systems excluded from the systems inventory actually did meet OEI’s criteria and should have been included by the system owners. The OIG staff is providing documentation to OEI and OEI will coordinate with the system owners to ensure that the systems in question are included unless the system owners can provide adequate documentation to the contrary.

OIG Recommendation:
3-2. Include in the quality assurance program referred to in Recommendation 2-2 a process to validate that all major IT systems are accounted for on EPA’s system inventory.
OEI Comment:
OEI concurs with this recommendation with the understanding that OEI cannot guarantee that all major IT systems are actually included in the systems inventory. Under FISMA, the responsibility for categorization of systems is the responsibility of the program official. OEI will make a diligent effort, under its quality assurance program, to validate that all major applications and general support systems are accounted for in the Agency’s system inventory. NIST has published a draft Federal Information Processing Standard (FIPS PUB 199) as required under FISMA that establishes standards for system security categorization. Once FIPS 199 is finalized, OEI plans to re-evaluate its criteria and process for determining system security categorization.

Chapter 4

OEI Comment:
OEI does not agree that the audit methodology supports the conclusion that OEI did not provide proper oversight to ensure implementation of technical security controls. We base this comment on the following:
1. The audit report states that the sample used to make this determination was six systems that were judgmentally selected.
2. Only identification and authentication controls, which are a subset of technical controls, were evaluated.
3. It is not clear from the audit report that any actual testing was performed.

OEI believes that a small judgmental sample, combined with evaluation of only a subset of technical controls, does not support a broad Agency-wide conclusion for all technical controls.

OIG Recommendation:
4-1. Ensure system owners strengthen technical controls by tracking identified deficiencies in a Plan of Actions and Milestones.

OEI Comment:
OEI does not concur with this recommendation for the reasons stated above.

Chapter 5

OEI Comment:
OEI does not agree with how the information is presented in the Table, “Security Plan Reconciliation to NIST 800-18.” The table implies that EPA’s security plans are so deficient as to present a significant security risk to the Agency. The table appears to actually represent the percentage of those plans reviewed that contained a deficiency. OEI believes that the Agency has had effective information security planning guidance that meets the requirements of OMB A-130, Appendix III. This guidance, when properly followed, has resulted in good security plans. In addition, OEI has done a considerable amount of work with owners of CPIC systems to upgrade the quality of their security plans.

OIG Recommendation:
5-1. Establish a Plan of Actions and Milestones, including an estimated completion date, as to when all EPA systems security plans will be revised to comply with NIST 800-18 requirements.
OEI Comment:
While OEI does not agree with the basis for this recommendation as described in the audit report, OEI does concur with the recommendation that NIST 800-18 should be the basis for Agency information security plans.
OEI has formally adopted NIST 800-18 as the basis for Agency security plans. All new security plans and major revisions to existing security plans must be consistent with NIST 800-18.

Appendix C

NIST Control Elements

Application Software Maintenance Controls - used to monitor the installation of, and updates to, application software to ensure that the software functions as expected and that a historical record is maintained of application changes.

Hardware System Software Maintenance Controls - used to monitor the installation of and updates to hardware, operating system software, and other software to ensure that the hardware and software function as expected and that a historical record is maintained of application changes.

Review of Security Controls - an independent security review, assessment, or evaluation of the system security controls.

Identification and Authentication Controls - technical measures that prevent unauthorized people (or unauthorized processes) from entering an IT system.

Data Integrity/Validation Controls - used to protect data from accidental or malicious alteration or destruction and to provide assurance to the user that the information meets expectations about its quality.

Integrity Controls - used to protect the operating system, applications, and information in the system from accidental or malicious alteration or destruction and to provide assurance to the user that the information meets expectations about its quality.

Logical Access Controls - system-based mechanisms used to specify who or what is to have access to a specific system resource and the type of access that is permitted.

Contingency Planning - procedures that would be followed to ensure the application continues to be processed if the supporting IT systems were unavailable.

Audit Trails - a record of system activity by system or application processes and by user activity.

Personnel Security - policies and procedures implemented and executed by people to prevent disruption, damage, loss, or other adverse impact due to the well-intentioned actions of individuals authorized to use or maintain a system (e.g., background screening, procedures to terminate users’ access).

Authorized Processing - the authorization granted by a management official for a system to process information.

Appendix D

Distribution

Director, Office of Technology, Operations, and Planning (2831T)
Director, Office of Technology, Operations, and Planning/Technical Information Security Staff (2831T)
Comptroller (2731A)
Agency Followup Official (the CFO) (2710A)
Agency Audit Followup Coordinator (2724)
Audit Follow-up Coordinator, Office of Environmental Information (2811R)
Audit Liaison, Office of Environmental Information (2812A)
Inspector General (2410)